In today’s hyper-connected world, traditional methods of securing critical infrastructure are being challenged. This is primarily driven by business owners who demand more efficient, cost-effective solutions that are designed to connect more devices and services to various consumption points.

In line with the proliferation of devices and services transiting networks, the need to deliver elevated security posture is heightened. The continuously evolving threat landscape is one of the main issues presenting significant challenges to organisations.

This creates a problem for those in operational roles: how to provide extremely agile and effective environments which provide access and transit for multiple use cases – in line with business requirements, while maintaining best practice from a security posture perspective.  

Cisco has an extremely strong history of innovating to address business requirements. Partnerships with specialist organisations like Outcomex, who have deep technical and engineering experience integrating Cisco platforms, provide customers with holistic solutions which are robust, drive efficiency and map technical outcomes to business initiatives.

Background

Ampol Limited (ASX: ALD), previously branded as Caltex Australia, is an Australian petroleum company, with headquarters in Sydney, New South Wales. It was first incorporated in 1936 in New South Wales to market petrol for its chain of service stations. In 1995, Ampol merged with Caltex to form Australian Petroleum, which in 1997 became Caltex Australia.

The organisation owns and operates a number of operations delivering fuel and consumer products via a network of service stations around Australia, as well as significant fuel management, wholesale transit and processing plant infrastructure – including two refinery plants – around the country.

Ampol has several commercial partnerships in Australia, including major contracts with Woolworths Ltd, and also conducts operations in South East Asia and New Zealand.

Due to the critical nature of the processing and transit infrastructure required to supply different types of fuels to large consumers and plants around NSW, Ampol has significant contracts with multiple specialist engineering organisations around the state.

These contracts provide logistical and operational support of the pipeline, pump, and refinery assets, delivered on a just-in-time basis with aggressive service level agreements. Ampol has expended significant commercial and engineering effort to ensure that the IP-based networks that carry the communication systems controlling these assets (the Operational Technology or OT Network) are resilient, fit for purpose and at the forefront of capability.

Problem

As reliance on OT Networks increases due to automation requirements, efficiency potential, and other use cases, the traditional ‘closed’ nature of the network is being challenged. In the Ampol environment, the enablement of contractors, third party, and internal staff to work within the OT environment safely and securely was a paramount concern.

Various workstreams within the OT environment require that specialist engineering skills be utilised by Ampol in day-to-day operational tasks, project initiatives, and incident management and troubleshooting. This means an array of engineering assets need to be identified, assigned permissions, allowed access, and have their movements through the network journaled and logged.

For Ampol to extend operational efficiency through their population of trusted staff and contractors, delivering an efficient NAC environment is absolutely key. Speed and accuracy are paramount, as downtime due to delay in delivering engineering is directly attributable to reputational and financial loss. However, speed of access and onboarding cannot be delivered without strict adherence to security policy.

The reliance on critical infrastructure providers to push workloads into OT networks is not lost on malicious entities. Instances of cyber-attacks on utility providers are increasing and as a response, owners of OT networks expend significant effort protecting, maintaining, and securing these environments from attack and exposure.

The Ampol conundrum was simply this: how to enable free and efficient access to trusted third parties, while maintaining the best possible security posture?

Solution

Cisco’s rich history of providing innovative and fit-for-purpose infrastructure within Ampol, combined with the demonstrable capabilities of Outcomex within the NAC and security arena, meant these partnerships were brought to bear.

Traditionally, access to the OT network was controlled by a mixture of process (identity, change management, etc.), and toolsets. The toolsets deployed required renovation due to their age and new business requirements, which would then provide an opportunity to promote more efficient processes. Removing redundant steps and automating elements of identity management could deliver significant time savings and reduction of human error.

Outcomex and Cisco put forth a solution based on Cisco Identity Services Engine (ISE). This class leading network access control platform met all fundamental functional requirements, as well as provided new features. ISE’s new features offered a better, more efficient contractor on-boarding process and overall strengthened security posture.

A number of physical ISE appliances were deployed in Ampol data centres, and allocated administration, policy and monitoring roles. These appliances were sized appropriately to ensure minimum network latency as well as configured in a highly redundant manner to provide maximum resiliency.

Business outcome-based workshops were conducted to settle a high-level design, then a low-level configuration design was delivered which also worked through key concepts for deployment of various policies. These policies were designed to encompass several different third-party roles, within segmented parts of the OT environment with permissions and resource allocation dynamically assigned per user, organisation, and role.

Automation based on policies was also leveraged where possible, providing administration-free remediation capabilities for failed profiling sessions – streamlining problem management and allowing elements of self-service for both internal and external users.

Key capabilities that were leveraged within the ISE platform include:

  • Tight integration with an advanced Microsoft Active Directory and domain structure.
  • Profiling of external and internal users.
  • Log generation and retention, with journaling of activity and access duration.
  • Integration with Cisco clientless VPN services.
  • Alerting and alarm management based on policies, with automation for remediation.

Conclusion and outcome

As a result of the successful delivery of the new network access control environment into Ampol, the business requirements set forth have been met and in some areas exceeded.

Lead time to initiate safe access into the OT network segments has been significantly reduced. Contractors and third parties operate within the environment under strict policies and roles, which are standardised across the business. These standardised control policies have been rationalised, to streamline management and promote predictable delivery of access across internal and external stakeholders.

Ampol is enjoying significant value post-project delivery. Operationally, SLA achievement for incident management work is higher due to reduced lead times for engineering access into the OT environment. Utilisation of ancillary and complementary systems has increased because of integrations within the ISE environment, thereby increasing return on investment for previously implemented platforms and solutions. Internal IT and administration time investment has been reduced through automation and self-service. Above all, the security posture of their critical OT infrastructure environment has been strengthened.

Given the success of the initial deployment scope, Ampol have re-engaged with Outcomex to broaden the Network Access Control (NAC) environment with Cisco ISE, to extend into their consumer business (retail outlets and service stations) OT network environment. This project is now in its early stage of design and planning, with an estimated completion in mid-2021.

References

David Milne
Network Engineer – Outcomex

Kossey Petros
Project Manager – Ampol (Caltex)
